{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# 步骤三：（仅alice和bob）数据授权"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "这一步alice和bob需要对数据的使用进行授权，比如允许与哪些参与方的指定数据进行联合计算、允许执行的代码等，TrustedFlow称之授权策略（policy）。TrustedFlow提供了一套语法用于表述授权策略，您可以阅读[授权策略](../architecture/policy.md)了解更多。\n",
    "\n",
    "我们继续以breast cancer数据集为例，alice和bob期望联合双方的数据依次进行求交、数据集拆分、树模型（XGBoost）建模、树模型（XGBoost）预测、二分类评估。为了达成这一目标，alice和bob需要分别对各自的数据进行授权。该步骤的内容alice和bob均需要分别执行。\n",
    "\n",
    "需要授权的policy包含几个方面：\n",
    "- 授权的机构ID\n",
    "- 授权的算法\n",
    "- 授权的数据列\n",
    "- 授权的一些约束（可选）"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## 选项一：仿真模式\n",
    "\n",
    "1. 编写授权策略\n",
    "\n",
    "我们需要在cli.yaml里编写授权策略。\n",
    "\n",
    "alice的授权示例写法如下，该策略表达了以下含义：\n",
    "\n",
    "- `data_uuid`和`grantee_party_ids`：alice允许carol使用breast_cancer_alice这份数据。\n",
    "- `columns`: 允许使用数据的这些列：id、mean radius、mean texture、mean perimeter、mean area、mean smoothness。\n",
    "- `op_constraints_name`: 允许执行以下计算：数据求教（OP_PSI）、数据拆分（OP_DATASET_SPLIT）、XGB训练（OP_XGB）、XGB预测（OP_XGB_PREDICT）、二分类评估（OP_BICLASSIFIER_EVALUATION）。关于算子的更详细说明，可以阅读[可信应用](../architecture/apps/index.rst)。\n",
    "\n",
    "下面的配置还需要您根据实际情况进行完善，包含：\n",
    "\n",
    "- grantee_party_ids：请填写真实的carol机构ID（如何生成机构ID，可以阅读步骤二[第三步](./step2.html#第三步：上传数据密钥)中的仿真模式。\n",
    "\n",
    "```yaml\n",
    "register_data_policy:\n",
    "  scope: default\n",
    "  data_uuid: breast_cancer_alice\n",
    "  grantee_party_ids:\n",
    "    -\n",
    "      - carol的机构ID\n",
    "  columns:\n",
    "    -\n",
    "      - id\n",
    "      - mean radius\n",
    "      - mean texture\n",
    "      - mean perimeter\n",
    "      - mean area\n",
    "      - mean smoothness\n",
    "  op_constraints_name:\n",
    "    - \n",
    "      - OP_PSI\n",
    "      - OP_DATASET_SPLIT\n",
    "      - OP_XGB\n",
    "      - OP_PREDICT\n",
    "      - OP_BICLASSIFIER_EVALUATION\n",
    "  ```\n",
    "\n",
    "  同理bob也需要修改自己的cli.yaml，需要记得修改`data_uuid`的值为`breast_cancer_bob`。\n",
    "\n",
    "2. 提交授权策略\n",
    "\n",
    "执行以下命令，提交授权策略到CapsuleManager。\n",
    "\n",
    "```bash\n",
    "cms register-data-policy\n",
    "```"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## 选项二：SGX模式\n",
    "\n",
    "### 第一步：获得可信APP的度量值\n",
    "\n",
    "与仿真模式相比，SGX模式额外需要获取可信APP的mrenclave，前文已经涉及到相关概念，相信到此时您已经对mrenclave不再陌生。\n",
    "\n",
    "1. 启动可信APP容器\n",
    "\n",
    "```bash\n",
    "docker run -it --name teeapps-sgx --network=host -v /dev/sgx_enclave:/dev/sgx/enclave -v /dev/sgx_provision:/dev/sgx/provision --privileged=true secretflow/teeapps-sgx:0.1.0b0 bash\n",
    "```\n",
    "\n",
    "2. 配置PCCS地址\n",
    "\n",
    "修改PCCS的配置文件/etc/sgx_default_qcnl.conf，把PCCS_URL配置为carol的PCCS服务地址（您应该向carol获取此信息）。\n",
    "\n",
    "```bash\n",
    "# PCCS server address\n",
    "\"pccs_url\": \"https://localhost:8081/sgx/certification/v4/\"\n",
    "\n",
    "# To accept insecure HTTPS certificate, set this option to FALSE\n",
    "\"use_secure_cert\": false\n",
    "\n",
    "```\n",
    "\n",
    "修改/home/teeapp/occlum/occlum_instance/image/etc/kubetee/unified_attestation.json，将ua_dcap_pccs_url配置为carol的PCCS服务地址（您应该向carol获取此信息）。\n",
    "\n",
    "```json\n",
    "{\n",
    "    \"ua_ias_url\": \"\",\n",
    "    \"ua_ias_spid\": \"\",\n",
    "    \"ua_ias_apk_key\": \"\",\n",
    "    \"ua_dcap_lib_path\": \"\",\n",
    "    \"ua_dcap_pccs_url\": \"https://localhost:8081/sgx/certification/v3/\",\n",
    "    \"ua_uas_url\": \"\",\n",
    "    \"ua_uas_app_key\": \"\",\n",
    "    \"ua_uas_app_secret\": \"\"\n",
    "}\n",
    "```\n",
    "\n",
    "3. 构建可信APP\n",
    "您首先需要生成私钥，然后使用以下命令构建occlum。生成私钥可以参考下列脚本，生成的私钥保存在当前目录的private_key.pem。请妥善保存您的私钥，不要泄露给其他人。\n",
    "\n",
    "```bash\n",
    "openssl genrsa -3 -out private_key.pem 3072\n",
    "```\n",
    "\n",
    "生成公私钥后，使用私钥构建occlum。\n",
    "\n",
    "```bash\n",
    "occlum build -f --sign-key private_key.pem\n",
    "```\n",
    "\n",
    "4. 获取mrenclave\n",
    "\n",
    "执行下列命令可以获得可信APP的mrenclave，输出内容为一串十六进制字符串，您可以保存下来，后续步骤会使用到。\n",
    "\n",
    "```bash\n",
    "occlum print mrenclave | tr a-z A-Z\n",
    "```"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### 第二步：数据授权\n",
    "\n",
    "1. 编写授权策略\n",
    "\n",
    "我们需要在cli.yaml里编写授权策略。\n",
    "\n",
    "alice的授权示例写法如下，该策略表达了以下含义：\n",
    "\n",
    "- `data_uuid`和`grantee_party_ids`：alice允许carol使用breast_cancer_alice这份数据。\n",
    "- `columns`: 允许使用数据的这些列：id、mean radius、mean texture、mean perimeter、mean area、mean smoothness。\n",
    "- `op_constraints_name`: 允许执行以下计算：数据求教（OP_PSI）、数据拆分（OP_DATASET_SPLIT）、XGB训练（OP_XGB）、XGB预测（OP_XGB_PREDICT）、二分类评估（OP_BICLASSIFIER_EVALUATION）。关于算子的更详细说明，可以阅读[可信应用](../architecture/apps/index.rst)。\n",
    "- `global_constraints`: 限制可信APP的mrenclave。\n",
    "\n",
    "下面的配置还需要您根据实际情况进行完善，包含：\n",
    "\n",
    "- grantee_party_ids：请填写真实的carol机构ID（如何生成机构ID，可以阅读步骤二[第三步](./step2.html#第三步：上传数据密钥)中的仿真模式。\n",
    "- r.env.tee.mr_enclave: 填写上一步所获得的可信APP mrenclave。\n",
    "\n",
    "```yaml\n",
    "register_data_policy:\n",
    "  scope: default\n",
    "  data_uuid: breast_cancer_alice\n",
    "  grantee_party_ids:\n",
    "    -\n",
    "      - carol的机构ID\n",
    "  columns:\n",
    "    -\n",
    "      - id\n",
    "      - mean radius\n",
    "      - mean texture\n",
    "      - mean perimeter\n",
    "      - mean area\n",
    "      - mean smoothness\n",
    "  global_constraints:\n",
    "    -\n",
    "      - r.env.tee.mr_enclave==\"xxxx\"\n",
    "  op_constraints_name:\n",
    "    - \n",
    "      - OP_PSI\n",
    "      - OP_DATASET_SPLIT\n",
    "      - OP_XGB\n",
    "      - OP_PREDICT\n",
    "      - OP_BICLASSIFIER_EVALUATION\n",
    "  ```\n",
    "\n",
    "  同理bob也需要修改自己的cli.yaml，需要记得修改`data_uuid`的值为`breast_cancer_bob`。\n",
    "\n",
    "2. 提交授权策略\n",
    "\n",
    "执行以下命令，提交授权策略到CapsuleManager。\n",
    "\n",
    "```bash\n",
    "cms register-data-policy\n",
    "```"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## （可选）自定义授权策略\n",
    "\n",
    "在快速上手的示例之外，您可以探索更多的授权策略，根据自己的需求对数据进行授权，参见[授权策略](../architecture/policy.md)。"
   ]
  }
 ],
 "metadata": {
  "language_info": {
   "name": "python"
  }
 },
 "nbformat": 4,
 "nbformat_minor": 2
}
